Int'l Cyber Cooperation Requires Baby StepsVartan Sarkissian, Worldwide Cybersecurity Initiative Director, EastWest Institute
But to Vartan Sarkissian, Worldwide Cybersecurity Initiative Director, the Institute's worldwide cybersecurity initiative director, such critics failed to understand the purpose of the conference. Among the goals of the conference was to assemble IT security leaders - including those from the United States, China, Russia, Canada, France, Germany, India and South Korea - to begin the long process of building trust, which would provide the foundation for any substantial agreement to battle cyber threats.
"We need to find issues that are of mutual interest, and work around those, what I call the low-hanging fruit, and build these relationships, build this dialogue, and then later address the others if possible," Sarkissian said in an interview with GovInfoSecurity.com (transcript below). "What we cannot do is sit here and say, 'Why don't we tackle the most complex issue today, when we don't have any dialogue, when we do not have any trust and see if we can solve it.' That would be impractical."
In the interview, conducted by GovInfoSecurity.com's Eric Chabrow days before the event, Sarkissian also addressed the suspicions most nations have of one another as cyber aggressors and why battling cybercrime is a good starting point for the nations to address common cyber defense approaches.
Besides his role at the EastWest Institute, Sarkissian is a venture capitalist who has invested in online social networking.
ERIC CHABROW: For those who are unfamiliar, please take a few moments to tell us about the EastWest Institute and its Worldwide Cybersecurity Initiative.
VARTAN SARKISSIAN: The EastWest Institute was co-founded by John Mroz, who is currently the founder, CEO and president of the Institute, about 30 years ago, to tackle the toughest questions and issues of that, when it comes to politics, geopolitics, or governmental relations. One of the top issues that the EastWest Institute is tackling and addressing right now is cybersecurity, as it is becoming more and more and more important, we have also realized that there is a lot of chaos within this sector. The EastWest Institute is, at the moment, in a sense, in the middle, acting as a catalyst, bringing various parties together, in order to create an efficient dialogue. Hence, the start of the Worldwide Cybersecurity Initiative. The initiative will act as a catalyst, but also is a method of education and introducing education and awareness at various levels.
CHABROW: Is there a common view of what are the major cybersecurity challenges from nation to nation, or does each country have their own particular outlook?
SARKISSIAN: I would say both. There are a lot of issues that are cross-sector, first of all, so all of the sectors have the same issue, and they need to solve the same issue, and of course, then you have sector-specific issues. Then you have cross country issues. And, then you have country-specific issues. The challenge is not only finding these issues and mutually agreeing what they are, and then starting to tackle them one by one, but the challenge goes even a bit deeper than that. It even goes into terminology. How does one define cyber? What is cyber? Is it a combination of computers? Is it a combination ... does it include this technology or that technology? What kind of communication? Then you have various languages coming into it, as well. Whereas, information security, or network security, and then cybersecurity ... given all these various challenges, that creates a lot of confusion in the international arena, where you have somebody saying, "This is a very specific issue to us," and they define it in a certain way, but then suddenly you realize this is something else, and in our country, we're defining it in a different way.
CHABROW: I think many people in the United States were surprised when the Center for Strategic and International Studies in late January issued a survey of global security executives, who said they had greater concern of the U.S. attacking their networks than they did of China or Russia. How is the U.S. perceived as a threat to cybersecurity around the world?
SARKISSIAN: To be honest, Eric, everyone is worried about the other person. Every country is worried about their neighbor. What are they doing? Who is responsible? What are the latest achievements there? The U.S. is not perceived any differently than every other country perceives the other country. It's a bit of a Wild West at the moment, where nobody knows what is going on, nobody knows who is doing what. Keeping that in mind, it is interesting observing that pretty much everyone is looking over their shoulders to the other person, and wondering what they are up to.
CHABROW: So, it sounds like there is a lot of distrust out there.
SARKISSIAN: How is distrust built? It is built if there is no dialogue. Distrust happens when people aren't talking, when we are all operating blindly. That is exactly why this initiative was created, to avoid this kind of an escalation, so that we can start talking in a very relaxed manner, and be able to say what the issues are on one hand, and listen to the other party's issues, and then slowly bring those together on selective matters and selective topics. And then, at least know that, okay, we cannot discuss certain important topics that involve national security, for example, but at least we can start talking and focusing around topic that are of mutual concern. For example, cyber crime. We are seeing that, although there is mistrust between various countries, there is also something that is essentially different than it used to be, years ago, when we were talking about international relations. Now the world has changed, from a world of enemies and an arms race, to a world of risks and dangers, and a common enemy, the hacker, or somebody who is out there to steal our identity, our information, our credit card numbers. So, cybercrime is another glue that is bringing all of us together, all of these countries that have, for a while, been very untrusting of each other, are suddenly realizing that in order to solve these issues, they actually do need to exercise an element of trust, and start sharing information and operations in order to catch these people. Because, the cyber world is a different world. It's not a world where you can directly link an attack from a specific country. Attribution is a huge problem in this. Tackling these issues of mutual interest, such as cybercrime, would actually clear the mist around the mysticism of this sector. Being able to internationally solve cybercrime issues would clear the bandwidth, in sense. You would start knowing what would a particular attack, or an incident in cybercrime were different. This dialogue and trust would start being elevated.
CHABROW: You know, I'm listening to you, and I'm thinking that some of the concerns that, at least the United States government has, such as people from abroad, whether they are hacking into government systems, or systems of American businesses, is not the major issue to start out with at a conference like the one you're having, or any other kind of meeting, but to attack things that everybody can agree upon is a problem that maybe can be resolved, and then work from there, to maybe handle all their problems.
SARKISSIAN: Yes, exactly. We need to find issues that are of mutual interest, and work around those, what I call the "low-hanging fruit," and build these relationships, build this dialogue, and then later address the others if possible. What we cannot do is sit here and say, "Why don't we tackle the most complex issue today, when we don't have any dialogue, when we do not have any trust, and see if we can solve it." That would be impractical.
CHABROW: Anything else you'd like to add?
SARKISSIAN: These are crucial steps, and we need to find solutions for these vulnerabilities before any actual threats have happened. So, we are all understanding of the need to talk, the need to understand each other, the need to consider each other's cultures, the need to bring these people around the same table and see the hundred issues out there - even if we solve 20, we are already in a less risky world.